This story is not really related but I had to write it. Simply skip if you don’t use WordPress.
I am using WordPress for most of my websites and some time ago I purchased the WPML plugin for easier handling of multi-language pages. This plugin wasn’t cheap (about 200 bucks) but I thought it was worth it. A little later, after using WPML for a while and after almost getting used to the cumbersome UI and weird bugs, I heard rumors about security issues with WPML. So I looked for updates and headed to their support forum. After reading that they are not really able to fix these issues soon because of issues with their update procedure, I took a look into their PHP code. After this, I knew I had to disable WPML immediately and switch to another solution.
It took me quite some time to find and migrate to another solution but thank God I did. Later I forgot about WPML.
A few minutes ago, I received the following mail:
So in that mail WPML claims that they updated my password to a strong and secure one (I always thought I was using strong passwords, by the way). Further down, they sent me the new password in plain text and EVEN added the login name (for my convenience, I guess) to that mail.
But it got worse. When inspecting the link to the login page that they included (probably also for my convenience), I found it contains the address of a redirect PHP script on a completely different server.
At that point, I was pretty sure that this must be one of those usual phishing mails and, just in case, I sent a mail to WPML (using the contact form) to inform them about this.
Seconds later, they confirmed that this mail was real.
Isn’t that unbelievable?
I think this finally proves that WPML definitely has no clue about security. So everybody who is still using WPML (probably not too many anymore) now knows that they had better switch to something else.
As a side note: WPML can be found on WPML.org, which is OK. But WPML.com is available for sale. Imagine what would happen if a bad guy acquired WPML.com. But it’s not cheap, I must admit.
Anyways, don’t trust the evil.